WhatsApp Flaw Makes Your 'Private' Messages Easy to Read

Popular instant-messaging app WhatsApp backs up messages on Android in an insecure way, according to one security researcher — and it isn't the first WhatsApp security flaw.

WhatsApp may be riding high since Facebook last month agreed to buy the five-year-old startup for a stunning $19 billion. But security experts have long had concerns about how WhatsApp encrypts users' conversations and what kind of private contact information the app collects from users' phones.

WhatsApp stores an archive of your messages on the phone's SD card, which is not a secure storage area. Many other apps also require permission to access the SD card, and most Android users have no choice but to grant it if they want those apps.

In a blog posting yesterday (March 11), Dutch security researcher Bas Bosschert said he and his brother Thijs created a proof-of-concept exploit that showed any app with access to the SD card could read and transmit the database of WhatsApp messages.

By default, WhatsApp backs up your chats to your phone's SD card daily, according to the app's Android FAQ. From the app's "Chat Settings" menu, users can also manually back up chats, or delete all conversations. However, on the same FAQ, WhatsApp says users can recover deleted chats by uninstalling and reinstalling the app and then tapping "Restore."

The Bosschert brothers also showed that the database's encryption is so weak that "we can simply decrypt this database using a simple Python script."

The two said an attacker could easily create a malicious app that accesses a phone's SD card and then uploads the WhatsApp database to a remote server. The attacker could even hide the necessary code in another app, such as a Flappy Bird clone, in order to trick people into downloading it.

This vulnerability is the latest in a string of WhatsApp security snafus. Last fall, researchers showed that WhatsApp used the same encryption key for every message in a given conversation.

If attackers captured just part of an encrypted WhatsApp conversation (via a man-in-the-middle attack, for example), and guessed part of one message's contents, they could then use simple math to identify the mathematical similarities between the messages, i.e. the encryption key. The key could then decrypt the entirety of the conversation.

WhatsApp also collects personal information from devices on which it's installed and stores the data on the company's servers. This is hugely valuable information for marketers and advertisers; some experts have argued that Facebook's $19 billion for WhatsApp really works out to $42 for each contact list extracted from WhatsApp's 450 million users.

WhatsApp is far from the only insecure messaging app. If you're serious about wanting to keep your messages private and secure, Wickr and Silent Circle's Silent Text app are considered among the best.